ISO: Going Beyond Manufacturing

Typically, ISO (International Standards Organization) brings to mind the manufacturing sector and quality control requirements. But there is another ISO standard -- ISO 27001:2005 -- that spans all industries, and banks would do well to pay it mind, according to Barry Kouns, VP with risk mitigation consultancy Churchill & Harriman (Princeton, N.J.).

ISO 27001 is an information security standard designed to give organizations a means for providing clients, partners and regulators with proof that they adhere to an internationally recognized set of information security controls. Its sister document, ISO 17799:2005, describes 133 best practices for information security, along with implementation advice. Together, the two standards create a certifiable framework for protecting information assets.

Kouns says becoming ISO-compliant is a culture-changing process that necessitates the involvement of the entire enterprise. "The standard requires a specific approach to risk assessment, treatment, identification of assets, monitoring and continuous improvement. It can't be something the IT department does on its own," he relates. "You need senior management buy-in [to ISO 27001]."

The financial services industry is primed for adoption of such a standard, claims Kouns. In March, the Federal Reserve Bank of New York became the first U.S. organization to be certified to the ISO 27001 standard. And with all the negative publicity around data breaches at many of the nation's top financial institutions, Kouns stresses that banks can only benefit from 27001.

In the '90s, Kouns explains, ISO 9000 addressed quality in manufacturing, and certification to it is now required in order to do business in certain countries. The same trend will occur with 27001, he says. "The [European Commission] is putting more pressure on U.S. companies to demonstrate the capabilities of their information security systems."

Standard Customization

Kouns says companies should not be discouraged by the more than 100 best practices dictated by 27001 since the standard is scalable. It is not necessary to implement the standard for the entire enterprise, he says; a business can certify one application, process or department.

Once the scope of the rollout is determined, then organizations must act to be compliant with a set of predetermined best practices and requirements in management, Kouns adds. However, "A company can provide legitimate rationale explaining why [a best practice] doesn't apply to them," he notes.

Kouns asserts that 27001 -- which now is voluntary -- complements existing regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley. "[27001] forces organizations to pull their silos together to gain efficiencies and provide a common framework for addressing compliance," he explains.

Kouns warns that companies should not be blinded by the technology piece of the compliance puzzle. Instead, he says, it is vital to think about the management system required by the standard to "safeguard your assets and empower the organization with a risk assessment methodology that provides treatment for the risks as they evolve. The technology part comes after all this."